PHP Object Injection & Serialization Vulnerabilities
Mukarram Khalid • November 27, 2016
phpPHP Object injection vulnerabilities can be fairly hard to exploit in a black box penetration testing scenario. In this tutorial, I'm gonna show you guys how serialization vulnerabilities actually work in PHP. I'm going to cover the following points in this video tutorial.
Intro
In this tutorial, I'm going to cover the basics of PHP Objection Injection and Serialization vulnerabilities using some test applications.
Serialization Vulnerabilities in Other Languages
Serialization vulnerabilities are not just native to PHP. These vulnerabilities exist in different languages under different names. For example, we've heard a lot about Java deserialization vulnerabilities which can lead to code execution. Similar vulnerabilities exist in Python module pickle which can lead to code execution while unpickling the data. So, make sure you never pass untrusted data to unserialization functions.
PHP Classes & Objects
In object-oriented programming, a class is an extensible code template for creating objects, providing initial values for state properties and implementing different behaviors (methods). This is what a class looks like in PHP.
<?php
class Test
{
public $name = 'makman';
}
$object = new Test;
Magic Methods
Magic methods are built-in functions in PHP which allow you to react when certain events trigger, which can be used to exploit PHP Object Injection Vulnerabilities because in most cases, these methods get called automatically. For example, __destruct()
will be called as soon as there are no other references to a particular object during the shutdown sequence. You can read more about magic methods on the official documentation of PHP.
Example App 1
To show you guys how to exploit PHP Object Injection, I've created a test application.
<?php
class App
{
public $logFile = 'logs.txt';
public $logData = 'test';
public function checkSerives()
{
echo '[+] Checking Services.<br>';
$this->logData = 'Success';
}
public function __destruct()
{
file_put_contents(__DIR__ . '/' . $this->logFile, $this->logData);
echo '[+] Logs written to log file.<br>';
}
}
$userInput = $_GET['data'] ?? '';
$someData = unserialize($userInput);
$app = new App;
$app->checkSerives();
For the exploitation part, please refer to the video.
Example App 2
For the second example, I'm going to use the Xtreme Vulnerable Web Application (XVWA) created by s4n7h0.
Closing Notes
Serialization functions should be used with great care. In most cases, you can use JSON encoding instead of serialization, which is comparatively easier to handle.